Nytro

Stuxnet Under the Microscope


A detailed analysis from ESET.

Aleksandr Matrosov, Senior Virus Researcher

Eugene Rodionov, Rootkit Analyst

David Harley, Senior Research Fellow

Juraj Malcho, Head of Virus Laboratory

Contents

1 INTRODUCTION
  1.1 TARGETED ATTACKS
  1.2 STUXNET VERSUS AURORA
  1.3 STUXNET REVEALED
  1.4 STATISTICS ON THE SPREAD OF THE STUXNET WORM
2 MICROSOFT, MALWARE AND THE MEDIA
  2.1 SCADA, SIEMENS AND STUXNET
  2.2 STUXNET TIMELINE
3 DISTRIBUTION
  3.1 THE LNK EXPLOIT
    3.1.1 Propagation via External Storage Devices
    3.1.2 Metasploit and WebDAV Exploit
    3.1.3 What Do DLL Hijacking Flaws and the LNK Exploit Have in Common?
  3.2 LNK VULNERABILITY IN STUXNET
  3.3 THE MS10-061 ATTACK VECTOR
  3.4 NETWORK SHARED FOLDERS AND RPC VULNERABILITY (MS08-067)
  3.5 0-DAY IN WIN32K.SYS (MS10-073)
  3.6 MS10-092: EXPLOITING A 0-DAY IN TASK SCHEDULER
4 STUXNET IMPLEMENTATION
  4.1 USER-MODE FUNCTIONALITY
    4.1.1 Overview of the Main Module
    4.1.2 Injecting Code
    4.1.3 Injecting into a Current Process
    4.1.4 Injecting into a New Process
    4.1.5 Installation
    4.1.6 Exported Functions
    4.1.7 RPC Server
    4.1.8 Resources
  4.2 KERNEL-MODE FUNCTIONALITY
    4.2.1 MRXCLS.sys
    4.2.2 MRXNET.sys
  4.3 STUXNET BOT CONFIGURATION DATA
  4.4 REMOTE COMMUNICATION PROTOCOL
CONCLUSION
APPENDIX A
APPENDIX B
APPENDIX C
APPENDIX D
APPENDIX E

Download:

http://www.eset.com/us/resources/white-papers/Stuxnet_Under_the_Microscope.pdf
